Re: [Full-disclosure] Metrica Service Assurance Multiple Cross Site Scripting

2008/11/9 rholgstad <rholgstad@xxxxxxxxx>:
post auth xss


I don't quite see your point about it being post auth.
The URLs provided don't seem to have csrf tokens or anything else that
actually requires an attacker to have an account, so all you need to
do is find an authed victim, which is what you would have to do anyway
since attacking unauthed victims is usually pretty pointless (not that
you can't still perform useful attacks, but they're not always
possible or simple).

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -